w43-2022

Here’s your weekly #databreach news roundup:

Twilio, General Electric (GE), Amazon Prime, Thomson Reuters, Australian Clinical Labs, Bed Bath & Beyond, See Tickets, and Bank Mitra.

Twilio

U.S. messaging giant Twilio confirmed it was hit by a second breach in June that saw cybercriminals access customer contact information.

Confirmation of the second breach — carried out by the same “0ktapus” hackers that compromised Twilio again in August — was buried in an update to a lengthy incident report that Twilio concluded on Thursday.

Twilio said the “brief security incident,” which occurred on June 29, saw the same attackers socially engineer an employee through voice phishing, a tactic whereby hackers make fraudulent phone calls impersonating the company’s IT department in an effort to trick employees into handing over sensitive information. In this case, the Twilio employee provided their corporate credentials, enabling the attacker to access customer contact information for a “limited number” of customers.

General Electric (GE)

The Fortune 500 electronics conglomerate has disclosed that a third-party data breach occurred between February 3 and 14 of this year. The company did not become aware of the breach until February 28.

The unknown party gained access to the workflow routing service of Canon BPS, a subdivision of the camera giant that specializes in handling outsourced human resources tasks such as document processing and accounts payable.

Amazon Prime

Security researcher Anurag Sen found a database packed with Amazon Prime viewing habits stored on an internal Amazon server that was accessible from the internet. But because the database was not protected with a password, the data within could be accessed by anyone with a web browser just by knowing its IP address.

The Elasticsearch database — named “Sauron” (make of that what you will) — contained about 215 million entries of pseudonymized viewing data, such as the name of the show or movie being streamed, what device it was streamed on, and other internal data, like the network quality and details about the subscription, such as whether the viewer is an Amazon Prime customer.

Thomson Reuters

The Cybernews research team found that Thomson Reuters left at least three of its databases accessible for anyone to look at. One of the open instances, the 3TB public-facing ElasticSearch database, contains a trove of sensitive, up-to-date information from across the company’s platforms. The company recognized the issue and fixed it immediately.

Thomson Reuters provides customers with products such as the business-to-business media tool Reuters Connect, legal research service and database Westlaw, the tax automation system ONESOURCE, online research suite of editorial and source materials Checkpoint, and other tools.

The size of the open database the team discovered corresponds with the company using ElasticSearch, a data store favored by enterprises dealing with extensive, constantly updated volumes of data.

Australian Clinical Labs

Australian Clinical Labs (ACL) has disclosed a February 2022 data breach that impacted its Medlab Pathology business, exposing the medical records and other sensitive information of 223,000 people.

ACL is an Australian healthcare company that operates 89 laboratories and performs six million tests annually, offering its services to 92 private and public hospitals across Australia.

While the firm says it’s not aware of any misuse of the stolen information, it is notifying all impacted clients individually of what data was exposed in the attack.

Bed Bath & Beyond

Bed Bath & Beyond Inc (BBBY.O) said on Friday a third party had this month improperly accessed its data through a phishing scam by accessing the hard drive and certain shared drives of one of its employees.

The big-box retailer said it was reviewing the data that was accessed so it can determine whether the drives contained any sensitive or personally identifiable information.

The home goods retailer added it has no reason to believe that any sensitive or personally identifiable information was accessed and this cybersecurity incident would likely not have a material impact on the company.

Bank Mitra

A threat actor was recently discovered advertising data belonging to the Bank Mitra scheme, part of the Indian government's Common Service Center (CSC) scheme. The objective of the CSC is to deliver essential public utility services, social welfare schemes, healthcare, education, and financial services to Indian citizens. The role of the Bank Mitra scheme is to cater to financial services under CSC.

As per the sources, this breach was discovered on 23rd October 2022, and more than 750K records have been compromised, including the name, bank name, phone number, and PAN number of multiple partner banks of the scheme website Bank Mitra. As per the threat actor, the data was compromised from the domain of the Bank Mitra ID card page, which the partners use to download ID cards.

See Tickets

See Tickets is a major global player in the online event ticketing business: they’ll sell you tickets to festivals, theatre shows, concerts, clubs, gigs and much more.

The company has just admitted to a major data breach that shares at least one characteristic with the amplifiers favoured by notorious rock performers Spinal Tap: “the numbers all go to 11, right across the board.”

According to the email template that See Tickets used to generate the mailshot that went to customers (thanks to Phil Muncaster of Infosecurity Magazine for a link to the Montana Department of Justice website for an official copy), the breach, its discovery, its investigation and remediation (which are still not finished, so this one might yet go all the way to 12) unfolded.